Monday, 12 December 2011

Over the weekend, one of our users had a pretty strange event happen. The basic chain of events went like this:

The user receives an (expected) MMS message to their work and personal phones at the same time. Both these numbers are on Vodafone.

The user immediately starts receiving dozens of other MMS messages from numbers they don't recognise.

After 10 minutes, the user turns off both phones. When they're turned back on, the messages have stopped.

While they'd been wiped off the personal phone, I got to have a look at the work phone this morning. The MMSes had all arrived at her email address which makes things a bit easier to analyse.

From this we can see:

These were, beyond a doubt, not intended for her. The only thread even linking all the recipients (and senders) is that they're Australian.

The messages all came through Vodafone's servers.

The messages all have a send time approximately that of the receive. That doesn't necessarily mean that this was essentially a live capture of their MMS traffic, but it seems likely.

A quick look at some messages shows a high incidence of people from WA. That could mean it was a WA-only issue, or it could be due to the time difference between us and the Eastern States.

These are real MMSes. They are not spam, they were sent by real people who did not expect them to be made public.

Here's a good example of the kind of thing that was leaked.

A student card. To go with his phone number, they gave us the high school, full name, date of birth, and some photo ID of a minor. Believe me when I say that this was far from the most personal piece of information there.

Most worryingly, somebody has mentioned to me since then that a friend of theirs had the same thing happen yesterday - hundreds of PXTs being misdirected to his phone. He thought it was some kind of spam and changed his number, which is a shame.

I'd love to find somebody else who had this happen and still has some messages. With some more data we can work out a few more details:

The time period. It was about 10 minutes for this case, but that may have just been the tail end - it could have been going for weeks in the right conditions.

The trigger. I'm guessing it was 'receiving or sending a PXT message', but again I need more data.

Whether the same messages were sent to everybody. Everybody getting the same stream of messages is a much smaller problem than everybody receiving separate streams.

With all of that, we can work out the scale of what happened here, and hopefully notify some of the customers who unexpectedly had their personal messages made public.

I should also mention: I've contacted Vodafone about this (via the authorised partner we deal with), but I haven't heard back yet. I'm very interested to hear their response.